Similar literature
1.
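Xiao Renyi, Journal on Communications (通信学报), 2014, 35(12): 20-177
Driven by the division of labor in society and the need for resource sharing, public cloud platforms are bound to become national infrastructure as important as the power grid and the Internet. The security problems facing cloud computing restrict its widespread use. Data security is particularly important in cloud computing, and how to guarantee the security of data is the core of cloud computing security. Existing research is classified and summarized from four aspects: privacy-preserving computation on data, integrity authentication of data processing results, data access control, and the physical security of data, providing a reference for subsequent research on data security in cloud computing.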

2.
Li Xiong, Kumari Saru, Shen Jian, Wu Fan, Chen Caisen, Islam SK Hafizul, Wireless Personal Communications, 2017, 96(4): 5295-5314

Cloud storage is a new storage mode that emerged along with the development of the cloud computing paradigm. By migrating the data to cloud storage, the consumers can be liberated from building and maintaining the private storage infrastructure, and they can enjoy the data storage service anywhere and anytime with high reliability and a relatively low cost. However, the security and privacy risks, especially the confidentiality and integrity of data, seem to be the biggest hurdle to the adoption of cloud storage applications. In this paper, we consider the secure data access and sharing issues for cloud storage services. Based on the intractability of the discrete logarithm problem, we design a secure data access and data sharing scheme for cloud storage, where we utilize the user authentication scheme to deal with the data access problem. According to our analysis, through our scheme, only a valid user with the correct password and biometric can access the cloud storage provider. Besides, the authorized users can access the rightful resources and verify the validity of the shared data, but cannot transfer the permission to any other party. At the same time, the confidentiality and integrity of data can be guaranteed.


3.
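From the perspective of data privacy, public cloud service providers are untrusted from the user's point of view. To protect the confidentiality of user data, encryption techniques are needed to enforce access control over hosted data in an open, interconnected environment such as cloud computing. This paper discusses the application of broadcast encryption and the CPK combined public key cryptosystem to access control in cloud computing environments, and introduces the main theoretical foundations of these two encryption mechanisms: polynomial interpolation, multilinear maps, and the ECC compound theorem. Through the application of encryption techniques, it offers a research approach for securely storing and accessing sensitive data in untrusted spaces such as cloud computing.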

4.

The main objective is to create a secured classifier for datasets based on a clustering algorithm. The K-means algorithm is one of the efficient techniques for mining large databases based on a cloud computing platform to store a large database with the least cost. Cloud computing allows users to outsource their data. For multi-dimensional data, the clustering technique is implemented, which performs clustering of related elements without advance knowledge. The K-nearest neighbor classification is analyzed by using a dataset under different conditions of parameters. In view of the above, the development of data management with cloud computing is gaining more attention towards multi-dimensional datasets. It is a challenging task to obtain secured data in the evolution of data mining techniques based on cloud computing employed using classifier techniques. Quality of education depends largely on the teacher’s ability, performance, knowledge, assessment and prediction on the basis of data mining techniques and clustering. These approaches permit the educational institution to decide and evaluate the classification rule to determine and recruit the best teacher based on knowledge by using a cloud database, which is a challenging task. The proposed technique provides secured cloud computing details regarding teacher’s recruitment, privacy of the user’s input query, selecting the best teacher, and hides the access patterns on the cloud. The proposed idea is computed by extracting the data and proves that it provides better accuracy for selecting the best teachers and also improves the speed and constancy of the recruitment application. The teacher’s recruitment is used in evaluating the ranks based on performance so that the institution takes a better decision for recruitment.


5.
Cloud computing has reached the peak of the Gartner hype cycle, and now the focus of the whole telecom industry is the ability to scale data storage with minimal investment. But data privacy and communication issues will occur with the increment of the cloud data storage. The key privacy concern for scalability is caused by the dynamic membership allocation and multi-owner data sharing. This paper addresses the issues faced by multiple owners through a mutual authentication mechanism using the Enhanced Elliptic Curve Diffie-Hellman (EECDH) key exchange protocol along with the Elliptic Curve Digital Signature Algorithm (ECDSA). The proposed EECDH scheme is used to exchange the secured shared key among multiple owners and also to eliminate the Man-In-The-Middle (MITM) attacks with less computational complexity. By leveraging these algorithms, the integrity of data sharing among multiple owners is ensured. The EECDH improves the level of security while only slightly increasing the time taken to encrypt and decrypt the data, and it is secured against the MITM attacks, which is experimented using the AVISPA tool.

6.
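To address the inability of traditional access control schemes to protect users' attribute privacy in cloud computing environments, a cloud storage access control scheme with privacy protection is proposed. A hybrid encryption system is used to achieve data confidentiality: the plaintext data is encrypted with a symmetric key, and the symmetric key is then encrypted with a public-key cryptosystem. In the new access control scheme, the public-key encryption uses anonymous ciphertext-policy attribute-based encryption. Security analysis shows that the new scheme, while protecting users' attribute privacy, achieves chosen-plaintext security and resists collusion attacks by malicious users and the cloud storage server.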

7.
Aiming at protecting the confidentiality of data for cloud storage users, a scheme that encrypts data in cloud service providers was presented. The scheme constructed a closed-box computing environment by virtual machine isolation technique, improved the RSA algorithm to change keys without having to produce large prime numbers, transferred data and keys through SSL, and encrypted data in the closed computing environment before storing it to the distributed file system. The closed-box computing environment can prevent attacks from cloud administrators and malicious applications in the operating system. It can also guard against data leakage effectively. The result of the experiment shows that the confidentiality of data is improved and the performance loss is decreased compared to other cloud storage schemes that encrypt data in the cloud.

8.
Cloud computing technologies have been prospering in recent years and have opened an avenue for a wide variety of forms of adaptable data sharing. Taking advantage of these state‐of‐the‐art innovations, the cloud storage data owner must, however, use a suitable identity‐based cryptographic mechanism to ensure the safety prerequisites while sharing data to large numbers of cloud data users with fuzzy identities. As a successful way to guarantee secure fuzzy sharing of cloud data, the identity‐based cryptographic technology still faces an effectiveness problem under multireceiver configurations. The chaos theory is considered a reasonable strategy for reducing computational complexity while meeting the cryptographic protocol's security needs. In an identity‐based cryptographic protocol, public keys for individual clients are distributed, allowing the clients to separately select their own network identities or names as their public keys. In fact, in a public‐key cryptographic protocol, it is for the best that the confirmation of the public key is done in a safe, private manner, because this way the load of storage on the server's side can be considerably relieved. The objective of this paper is to outline and examine a conversion process that can transfer cryptosystems using Chebyshev's chaotic maps over the Galois field to a subtree‐based protocol in the cloud computing setting for fuzzy user data sharing, as opposed to reconcocting a different structure. Furthermore, in the design of our conversion process, no adjustment of the original cryptosystem based on chaotic maps is needed.

9.
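To address the leakage of user privacy that arises when user data shared in a public cloud environment has its ownership separated from its management, a scheme for secure sharing and associated deletion of multiple data replicas in the cloud is proposed, combining symmetric encryption, attribute-based encryption, and replica location technology. User data is encrypted and otherwise processed and encapsulated into a replication associated object (RAO); the RAO is then shared to the cloud service provider, and a replica association model is established to manage the replicas generated from the RAO and to implement associated deletion. Analysis shows that the scheme is secure and effective, can securely share and associatively delete the data shared by users and its replicas, and effectively protects the privacy of multiple data replicas.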

10.
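Li Hongwei, Ye Feiyue, Chen Dan, Telecommunications Science (电信科学), 2013, 29(12): 101-106
With the development and application of cloud computing, more and more customers choose cloud storage as their storage medium, so data integrity and confidentiality have become their main concerns. A new structure based on the oblivious RAM model is proposed: a customer's file is split into data blocks of equal size, and each data block has two backups in cloud storage that are stored randomly in different files to ensure data integrity. A homomorphic hash algorithm is used to verify data possession, and oblivious RAM hides the customer's access pattern to the server, so that an adversary cannot obtain useful information from the customer's data access pattern, thereby achieving data confidentiality.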

11.
The emergence of fog computing facilitates industrial Internet of Things (IIoT) to be more real‐time and efficient; in order to achieve secure and efficient data collection and applications in fog‐assisted IIoT, it usually sacrifices great computation and bandwidth resources. From the low computation and communication overheads perspective, this paper proposes a layered data aggregation scheme with efficient privacy preservation (LDA‐EPP) for fog‐assisted IIoT by integrating the Chinese remainder theorem (CRT), modified Paillier encryption, and hash chain technology. In the LDA‐EPP scheme, the entire network is divided into several subareas; the fog node and cloud are responsible for local and global aggregations, respectively. Specially, the cloud is able to obtain not only the global aggregation result but also the fine‐grained aggregation results of subareas, which enables it to provide fine‐grained data services. Meanwhile, the LDA‐EPP realizes data confidentiality by the modified Paillier encryption, ensures that both outside attackers and internal semi‐trusted nodes (such as the fog node and cloud) are unable to know the private data of an individual device, and guarantees data integrity by utilizing a simple hash chain to resist tampering and polluting attacks. Moreover, fault tolerance is also supported in our scheme; i.e., even though some IIoT devices or channel links fail, the cloud can still decrypt incomplete aggregation ciphertexts and derive expected aggregation results. Finally, the performance evaluation indicates that our proposed LDA‐EPP has less computation and communication costs.

12.
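In electronic medical record systems, an attribute-based searchable encryption scheme is proposed to support data search in a multi-user environment. Ciphertexts and secure indexes are stored in the medical cloud; when a user requests medical data, the attribute-based searchable encryption algorithm is used to search the data, achieving fine-grained access control. The scheme also introduces a ciphertext verification algorithm, which solves the problem of incorrect search results under the semi-honest-but-curious cloud server model. Data deduplication is used to eliminate duplicate data and reduce the storage space occupied in the medical cloud. The scheme also hides the access policy, protecting the privacy of data users. Security analysis shows that the proposed scheme protects user privacy and data security well. Performance analysis shows that the scheme performs well and is better suited to many-to-many application scenarios such as smart healthcare, effectively enabling doctors and third-party data users to share patients' electronic medical records without violating patient privacy.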

13.
Cloud computing (CC) is the universal area in which the data owners will contract out their pertinent data to the untrusted public cloud that permits the data users to retrieve the data with complete integrity. To give data privacy along with integrity, majority of the research works were concentrated on single data owner for secure searching of encrypted data via the cloud. Also, searchable encryption supports data user to retrieve the particular encrypted document from encrypted cloud data via keyword search (KS). However, these researches are not efficient for keyword search retrieval. To trounce such drawbacks, this paper proposes efficient secure and privacy‐preserving keyword search retrieval (SPKSR) system, in which the user retrieves the hashed encrypted documents over hashed encrypted cloud data. The proposed system includes three entities explicitly, (a) data owner (DO), (b) cloud server (CS), and (c) data users (DU). The owner outsources hashed encrypted documents set, along with generated searchable index tree to the CS. The CS hoards the hashed encrypted document collection and index tree structure. DU performs the “search” over the hashed encrypted data. Experimental results of the proposed system are analyzed and contrasted with the other existent system to show the dominance of the proposed system.

14.
The cloud computing technology has emerged, developed, and matured in recent years, consequently commercializing remote outsourcing storage services. An increasing number of companies and individuals have chosen the cloud to store their data. However, accidents, such as cloud server downtime, cloud data loss, and accidental deletion, are serious issues for some applications that need to run around the clock. For some mission and business-critical applications, the continuous availability of outsourcing storage services is also necessary to protect users' outsourced data during downtime. Nevertheless, ensuring the continuous availability of data in public cloud data integrity auditing protocols leads to data privacy issues because auditors can obtain the data content of users by a sufficient number of storage proofs. Therefore, protecting data privacy is a burning issue. In addition, existing data integrity auditing schemes that rely on semi-trusted third-party auditors have several security problems, including single points of failure and performance bottlenecks. To deal with these issues, we propose herein a blockchain-based continuous data integrity checking protocol with zero-knowledge privacy protection. We realize a concrete construction by using a verifiable delay function with high efficiency and proof of retrievability, and prove the security of the proposal in a random oracle model. The proposed construction supports dynamic updates for the outsourced data. We also design smart contracts to ensure fairness among the parties involved. Finally, we implement the protocols, and the experimental results demonstrate the efficiency of the proposed protocol.

15.
With the widespread use of cloud storage services, users get a lot of conveniences such as low-price remote file storage and flexible file sharing. The research points in cloud computing include the verification of data integrity, the protection of data privacy and flexible data access. The integrity of data is ensured by a challenge-and-response protocol based on the signatures generated by group users. Many existing schemes use group signatures to make sure that the data stored in the cloud is intact for the purpose of privacy and anonymity. However, group signatures do not consider user equality and the problem of frameability caused by group managers. Therefore, we propose a data sharing scheme PSFS to support user equality and traceability at the same time, based on our previous work HA-DGSP. PSFS has some secure properties such as correctness, traceability, homomorphic authentication and practical data sharing. The practical data sharing ensures that the data owner won’t lose control of the file data during the sharing and that the data owner will get effective incentive for data sharing. The effective incentive is realized by the technology of blockchain. The experimental results show that the communication overhead and computational overhead of PSFS are acceptable.

16.
Cloud storage applications have quickly become the best choice for personal users and enterprise storage owing to their convenience, scalability and other advantages; secure deduplication and integrity auditing are key issues for cloud storage. At first, a convergent key encapsulation/decoupling algorithm based on blind signature was set up, which could securely store the key and enable it to be deduplicated. Besides, a BLS signature algorithm based on the convergence key was provided, and a TTP was used to store the public key and proxy the audit, which enables signature and public key deduplication and reduces client storage and computing overhead. Finally, a cloud-based secure deduplication and integrity audit system was designed and implemented. It offered users data privacy protection, deduplication authentication, and audit authentication services, and lowered client and cloud computation overhead.

17.
Cloud computing is one of the space-ground integration information network applications. Users can access data and retrieve service easily and quickly in the cloud. The confidentiality and integrity of the data cloud have a direct correspondence to data security of the space-ground integration information network. Thus the data in the cloud is transferred in encrypted form to protect the information. As an important technology of cloud security, access control should take account of multi-factor and cipher text to satisfy the complex requirement for cloud data protection. Based on this, a proxy re-encryption based multi-factor access control (PRE-MFAC) scheme was proposed. Firstly, the aims and assumptions of PRE-MFAC were given. Secondly, the system model and algorithm were defined. Finally, the security and properties of PRE-MFAC were analyzed. The proposed scheme has combined the PRE and multi-factor access control together and realized the multi-factor permission management of cipher text in the cloud. Meanwhile, it can make the best possible use of the cloud in computing and storing, and thus reduce the difficulty for personal users in cryptographic computing and key managing.

18.

Cloud storage is a cloud-based service which delivers scalable on-demand online storage of data and eliminates the need of maintaining a local data centre. Storage of data in the cloud brings many advantages such as lower cost, metered service, and scalable and ubiquitous access. However, it also raises concerns as to its integrity; to save storage space, the cloud service provider may delete some rarely accessed data. Data privacy is another issue which must be addressed to increase the data owner’s trust. To address the above issues, many researchers have proposed public auditing schemes to validate the integrity of data using a third party auditor. These schemes generate metadata using data files on the owner side and store these metadata on the cloud storage along with the file data, which helps in auditing. These schemes address many concerns which arise due to remote data storage. However, the computation cost involved for metadata generation at the data owner side is not properly addressed; another issue which is not properly addressed is that an iniquitous third party auditor may be the source of a denial of service attack by constantly issuing a large number of audit requests. Our scheme solves these issues by lowering the computation cost at the data owner side and controlling the number of times a third party auditor can issue an audit request to the cloud storage. Our scheme also supports secure access of data using a conditional proxy re-encryption scheme and delegation of the auditing task by the authorized third party auditor to another auditor for the specified period of time in the case of unavailability of the authorized third party auditor.


19.
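Research on data security in cloud computing   Total citations: 1, self-citations: 0, citations by others: 1
With the rapid development and adoption of cloud computing, data security and privacy protection in cloud environments have become key problems in cloud computing research. Based on a full data life cycle model, a framework for data security and privacy protection in cloud computing environments is proposed. Several key research problems in this area are described, including ciphertext retrieval, integrity verification and proof of possession, privacy protection, and query privacy. The development, principles, and significance of fully homomorphic encryption and its application to data security and privacy protection in cloud computing are surveyed in detail, and directions for future research are pointed out.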

20.
Cloud storage is gaining popularity as it relieves the data owners from the burden of data storage and maintenance cost. However, outsourcing data to third‐party cloud servers raise several concerns such as data availability, confidentiality, and integrity. Recently, regenerating codes have gained popularity because of their low repair bandwidth while ensuring data availability. In this paper, we propose a secure regenerating code‐based cloud storage (SRCCS) scheme, which utilizes the verifiable computation property of homomorphic encryption scheme to check the integrity of outsourced data. In this work, an error‐correcting code (ECC)–based homomorphic encryption scheme (HES) is employed to simultaneously provide data privacy as well as error correction while supporting efficient integrity verification. In SRCCS, server regeneration process is initiated on detection of data corruption events in order to ensure data availability. The ECC‐based HES significantly reduces the probability of server regeneration and minimizes the repair cost. Extensive theoretical analysis and simulation results validate the security, efficiency, and practicability of the proposed scheme.
